More than 240,000 websites that use Ruby on Rails (RoR) web applications are at risk of being exploited by attackers after longstanding vulnerabilities in the web programming framework were revealed.


This means all RoR users should upgrade immediately to a patched version of the software to avoid the risk of full remote code execution against any RoR application.

The vulnerabilities (CVE-2013-0155 and CVE-2013-0156) deal with how data entered by the user is parsed and handled by the RoR application.

CVE-2013-0156 allows full remote code execution against any RoR application that has the XML parser enabled, said Adam O’Donnell, chief architect in the Cloud Technology Group at security firm Sourcefire.

“It means that anyone can run a Unix command with the same privileges as the Ruby on Rails application under the default install,” he wrote in a blog post.

Both issues can be remediated by RoR programmers and administrators by upgrading to the latest version of RoR, and there are workarounds if this is not an option, said O’Donnell.

CVE-2013-0155 can be addressed only by adding data-parameter scrubbing code to the application, while CVE-2013-0156 can be addressed by disabling the XML parser.

“This may not be an option for every website as they may consume XML from the user as a matter of routine operation,” said O’Donnell.
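As an added illustration (not code from the article, from Sourcefire or from the Rails project), the following is one way an application that never needs XML input could apply the "disable the XML parser" workaround at the request edge while waiting for the upgrade: a small Rack middleware that rejects XML bodies before the framework's parameter parser sees them. The class name, the media-type list and the constructed sample requests are my own assumptions.

```ruby
# Middleware that refuses XML request bodies with HTTP 415 so that a
# framework-level XML parameter parser is never reached. Assumption: the
# framework selects its XML parser purely from the request Content-Type.
class RejectXmlBodies
  # Media types assumed to route to the XML parameter parser
  # (assumption based on the types commonly registered for XML in Rails).
  XML_TYPES = %w[application/xml text/xml application/x-xml].freeze

  # Returns true when the Content-Type header names an XML media type.
  # Parameters such as ";charset=utf-8" are dropped and the type is
  # compared case-insensitively, as media types are case-insensitive.
  def self.xml_body?(content_type)
    return false if content_type.nil? || content_type.strip.empty?
    media_type = content_type.split(";", 2).first.strip.downcase
    XML_TYPES.include?(media_type)
  end

  def initialize(app)
    @app = app
  end

  # Standard Rack entry point: [status, headers, body].
  def call(env)
    return xml_rejected if self.class.xml_body?(env["CONTENT_TYPE"])
    @app.call(env)
  end

  private

  def xml_rejected
    body = "XML request bodies are not accepted\n"
    [415,
     { "Content-Type" => "text/plain", "Content-Length" => body.bytesize.to_s },
     [body]]
  end
end

# Constructed sample request: a Rack env carrying only the header that
# matters here. Returns the status the middleware chain produces.
def status_for(content_type)
  downstream = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }
  env = { "REQUEST_METHOD" => "POST", "CONTENT_TYPE" => content_type }
  RejectXmlBodies.new(downstream).call(env).first
end
```

Because every XML body is refused, this is only suitable for applications that, as O'Donnell notes, do not consume XML from users as a matter of routine.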

He urged all those using the framework to take the matter seriously because the vulnerabilities appear to allow anyone to execute commands on the web server that hosts the software, as well as pull any data out of the back-end database that the web server itself can access.

O’Donnell warned that many organisations could be vulnerable for hours or days, and some for weeks or longer, because changing a programming framework is no small task.

Many organisations need to go through several steps between development and testing and finally deployment.

“During this window the only thing that will stop an attacker is some form of network-layer technology that understands how the vulnerability is exploited,” he said.

According to O’Donnell, the RoR vulnerability could be used for the creation of a worm, but it would be far worse if attackers were to use the vulnerability to silently compromise massive numbers of vulnerable websites, grab everything from the database, and install persistent back doors in the infrastructure of every organisation running the vulnerable code.

“They could also silently post a client-side exploit that targets people who come to that site, commonly known as a Watering Hole attack. A worm would likely force everyone to fix their infrastructure immediately, while silent exploitation may not be as motivating,” he said.
